
Troubleshooting Common Sucuri Security Plugin Lockouts and Access Issues

32 threads Sep 9, 2025


Many WordPress administrators rely on the 'Sucuri Security – Auditing, Malware Scanner and Security Hardening' plugin to protect their sites. However, its powerful security features can sometimes lead to unexpected lockouts or access denied errors. This guide covers the most common reasons for these issues and provides step-by-step solutions to regain access to your site.

Why Am I Getting Locked Out or Seeing Access Denied Errors?

Lockouts and access issues typically fall into one of three categories:

  1. Plugin Conflicts: The Sucuri plugin may conflict with other security or login-related plugins, causing login loops, 500 errors, or 404 pages.
  2. Server-Level Blocking: If you use the Sucuri Website Firewall (a separate service), blocking happens at the server level before a request even reaches your site. The free plugin itself does not block IP addresses.
  3. Hardening or Settings Issues: Certain hardening features, like hiding the login page or protecting the wp-admin directory, can malfunction, especially after site migrations or updates.

How to Regain Access to Your Site

Step 1: Disable the Plugin via FTP/SFTP

This is the most critical first step if you are completely locked out. It will help you determine if the Sucuri plugin is the source of the problem.

  1. Connect to your site using an FTP client like FileZilla or your web host's file manager.
  2. Navigate to the /wp-content/plugins/ directory.
  3. Locate the sucuri-scanner folder.
  4. Rename it to something like sucuri-scanner-OFF.

This will deactivate the plugin. Try to access your WordPress login page again. If you can log in, the issue was likely related to the plugin. If you are still locked out, the problem is almost certainly being caused by a server-level firewall (like the Sucuri WAF) or another security plugin.

Step 2: Identify the True Source of the Block

Once you're back in your dashboard, it's time to diagnose the root cause.

  • Check for Other Security Plugins: Deactivate any other security plugins (e.g., All In One Security, Limit Login Attempts Reloaded) and test your site's functionality. Reactivate them one by one to identify a conflict.
  • Review Hardening Settings: If you were using features like "Change WP-Admin Address" or "Harden php.php," these can break after a site move or theme update. After renaming the plugin folder back, review and reconfigure these settings carefully.
  • Check for a Server Firewall: If you see messages like "Access Denied – Sucuri Website Firewall," this indicates a block at the server level, not from the WordPress plugin. You would need to whitelist your IP address in your Sucuri Firewall dashboard, which is a separate service.
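For hosts where you have shell (SSH) access instead of FTP, Step 1 and the firewall check above can be scripted. This is an added example, not code from Sucuri or from the original guide; the function names are hypothetical, and it assumes you pass the WordPress root directory and a saved copy of the page that blocked you.

```shell
#!/bin/sh
# Added example (not Sucuri's code). Function names are hypothetical.
# Assumes shell access; $1 is the WordPress root directory unless noted.

# Step 1: rename sucuri-scanner to sucuri-scanner-OFF so WordPress deactivates it.
sucuri_disable() {
    p="$1/wp-content/plugins"
    if [ ! -d "$p/sucuri-scanner" ]; then
        if [ -d "$p/sucuri-scanner-OFF" ]; then echo "already-disabled"; return 0; fi
        echo "not-found"; return 1
    fi
    # Never overwrite a leftover folder from an earlier attempt.
    if [ -e "$p/sucuri-scanner-OFF" ]; then echo "conflict"; return 1; fi
    mv "$p/sucuri-scanner" "$p/sucuri-scanner-OFF" && echo "disabled"
}

# Rename the folder back before reviewing the hardening settings (Step 2).
sucuri_enable() {
    p="$1/wp-content/plugins"
    if [ -d "$p/sucuri-scanner" ]; then echo "already-enabled"; return 0; fi
    if [ ! -d "$p/sucuri-scanner-OFF" ]; then echo "not-found"; return 1; fi
    mv "$p/sucuri-scanner-OFF" "$p/sucuri-scanner" && echo "enabled"
}

# Classify a saved copy of the blocked page ($1 is the file), for example from:
#   curl -s -o blocked.html https://example.com/wp-login.php   (placeholder URL)
# The dash in the firewall message is matched loosely because its encoding varies.
block_source() {
    if grep -q 'Access Denied.*Sucuri Website Firewall' "$1"; then
        echo "server-firewall"   # whitelist your IP in the Sucuri Firewall dashboard
    else
        echo "plugin-or-other"   # check other security plugins and hardening settings
    fi
}

# Optional command-line use: script.sh disable|enable <wp-root>, check <file>
case "${1:-}" in
    disable) sucuri_disable "$2" ;;
    enable)  sucuri_enable "$2" ;;
    check)   block_source "$2" ;;
esac
```

A "conflict" result means both folders exist; inspect them by hand before renaming anything.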

Step 3: Investigate and Resolve Common Conflicts

Based on community reports, these specific scenarios often cause problems:

  • Conflict with Login Plugins: Plugins like Clef, User Switching, or Members can have conflicts. Try disabling the "Success Login Redirect" feature in Sucuri's Alert settings.
  • False Positives on Forms/AJAX: The server-level firewall might block form submissions or AJAX calls (like in Contact Form 7 or admin-ajax.php), flagging them as SQL injection or backdoor attempts. This requires whitelisting the action or your IP in the firewall settings.
  • Post-Migration Login Issues: If you recently moved your site, URL changes can break the "Hide WordPress Version" or login hardening features. Disabling the plugin before migration and reconfiguring it afterward is the safest approach.

Conclusion

Being locked out of your own website is a frustrating experience. In most cases, the issue is not a bug in the Sucuri Security plugin itself but a conflict with another component or a misconfigured setting. The definitive troubleshooting step is always to disable the plugin via FTP. If the problem persists, your investigation should focus on server-level firewalls or other plugins. Always remember to reconfigure any security settings carefully after resolving the conflict.
